International Association
for Cryptologic Research

The IACR Fellows Program recognizes outstanding IACR members for technical and professional contributions to the field of cryptology. Today we are pleased to announce eight members that have been elevated to the rank of Fellow for 2024:

• Anne Canteaut, for influential contributions to symmetric cryptography and Boolean functions, and for exemplary service to the symmetric cryptography community.
• Joan Feigenbaum, for highly influential contributions to the foundations of trust and secure computation, and for service to the IACR.
• Alfred Menezes, for fundamental contributions to the theory and practice of elliptic curve cryptography, and for service to the cryptographic community.
• Kobbi Nissim, for fundamental contributions to the theory and practice of data privacy, and for service to the cryptographic community.
• Chris Peikert, for fundamental contributions to the functionality, efficiency, and security of lattice-based cryptography, and for service to the IACR.
• David Pointcheval, for fundamental contributions to the design of public-key cryptosystems and their provable security analysis, for educational leadership, and for outstanding service to the IACR.
• François-Xavier Standaert, for fundamental contributions to the theory and practice of cryptography in the presence of leakage, and for service to the IACR.
• Brent Waters, for the development of attribute-based encryption, functional encryption, and other foundational concepts in cryptography, and for service to the cryptographic community.

Congratulations to the new fellows! More information about the IACR Fellows Program can be found at https://iacr.org/fellows/.

This postdoctoral position is for 3 years (with possible extension to up to 4 years) and is linked with a research effort aiming to apply cryptographic methods for studying the security aspects of Artificial Intelligence (AI). Cryptographic approaches will be tested for attacks on AI and existing protection methods in cryptography will be applied for security of AI. The candidate will have the freedom to explore new related topics and drive the research in the direction of security of AI and cryptographic elements. The postdoc will work with a team at the Selmer Center in Secure Communication, including among others Adj. Prof. Vincent Rijmen, Adj. Prof. Sondre Rønjom and Prof. Lilya Budaghyan. Please apply online via the link where more information is available: https://www.jobbnorge.no/en/available-jobs/job/260444/lead-ai-postdoctoral-research-fellow-position-within-cryptography-and-security-of-ai

Closing date for applications:

Contact: Prof. Budaghyan

More information: https://www.jobbnorge.no/en/available-jobs/job/260444/lead-ai-postdoctoral-research-fellow-position-within-cryptography-and-security-of-ai

Fuzzy password authenticated key exchange (fuzzy PAKE) protocols enable two parties to securely exchange a session-key for further communication. The parties only need to share a low entropy password. The passwords do not even need to be identical, but can contain some errors. This may be due to typos, or because the passwords were created from noisy biometric readings. In this paper we provide an overview and comparison of existing fuzzy PAKE protocols. Furthermore, we analyze certain security properties of these protocols and argue that the protocols can be expected to be slightly more secure in practice than can be inferred from their theoretical guarantees.

Despite much progress, general-purpose secure multi-party computation (MPC) with active security may still be prohibitively expensive in settings with large input datasets. This particularly applies to the secure evaluation of graph algorithms, where each party holds a subset of a large graph.

Recently, Araki et al. (ACM CCS '21) showed that dedicated solutions may provide significantly better efficiency if the input graph is sparse. In particular, they provide an efficient protocol for the secure evaluation of "message passing" algorithms, such as the PageRank algorithm. Their protocol's computation and communication complexity are both $\tilde{O}(M\cdot B)$ instead of the $O(M^2)$ complexity achieved by general-purpose MPC protocols, where $M$ denotes the number of nodes and $B$ the (average) number of incoming edges per node. On the downside, their approach achieves only a relatively weak security notion; $1$-out-of-$3$ malicious security with selective abort.

In this work, we show that PageRank can instead be captured efficiently as a restricted multiplication straight-line (RMS) program, and present a new actively secure MPC protocol tailored to handle RMS programs. In particular, we show that the local knowledge of the participants can be leveraged towards the first maliciously-secure protocol with communication complexity linear in $M$, independently of the sparsity of the graph. We present two variants of our protocol. In our communication-optimized protocol, going from semi-honest to malicious security only introduces a small communication overhead, but results in quadratic computation complexity $O(M^2)$. In our balanced protocol, we still achieve a linear communication complexity $O(M)$, although with worse constants, but a significantly better computational complexity scaling with $O(M\cdot B)$. Additionally, our protocols achieve security with identifiable abort and can tolerate up to $n-1$ corruptions.

Private set intersection (PSI) is a cryptographic functionality for two parties to learn the intersection of their input sets, without leaking any other information. Circuit-PSI is a stronger PSI functionality where the parties learn only a secret-shared form of the desired intersection, thus without revealing the intersection directly. These secret shares can subsequently serve as input to a secure multiparty computation of any function on this intersection.

In this paper we consider several settings in which parties take part in multiple Circuit-PSI executions with the same input set, and aim to amortize communications and computations. To that end, we build up a new framework for Circuit-PSI around generalizations of oblivious (programmable) PRFs that are extended with offline setup phases. We present several efficient instantiations of this framework with new security proofs for this setting. As a side result, we obtain a slight improvement in communication and computation complexity over the state-of-the art Circuit-PSI protocol by Bienstock et al. (USENIX '23). Additionally, we present a novel Circuit-PSI protocol from a PRF with secret-shared outputs, which has linear communication and computation complexity in the parties' input set sizes, and incidentally, it realizes ``almost malicious'' security, making it the first major step in this direction since the protocol by Huang et al. (NDSS '12). Lastly, we derive the potential amortizations over multiple protocol executions, and observe that each of the presented instantiations is favorable in at least one of the multiple-execution settings.

Third-party private set intersection (PSI) enables two parties, each holding a private set to compute their intersection and reveal the result only to an inputless third party. In this paper, we present efficient third-party PSI protocols, which significantly lower the computational workload compared to prior work. Our work is motivated by real-world applications such as contact tracing whereby expedition is essential while concurrently preserving privacy. Our construction attains a near-linear computational complexity of $O(n^{1+\varepsilon})$ for large dataset size $n$, where $\varepsilon>0$ is any fixed constant, and achieves post-quantum security. For a quantum-safe third-party PSI protocol, this significantly improves upon the current known best of $O(n^{2.5+o(1)})$. Our improvements stem from algorithmic changes and the incorporation of new techniques along with precise parameter selections to achieve a tight asymptotic bound.

The substitution box (S-box) is often used as the only nonlinear component in symmetric-key ciphers, leading to a significant impact on the implementation performance of ciphers in both classical and quantum application scenarios by S-box circuits. Taking the Pauli-X gate, the CNOT gate, and the Toffoli gate (i.e., the NCT gate set) as the underlying logic gates, this work investigates the quantum circuit implementation of S-boxes based on the SAT solver. Firstly, we propose encoding methods of the logic gates and the NCT-based circuit, based on which we construct STP models for implementing S-boxes. By applying the proposed models to the S-boxes of several well-known cryptographic algorithms, we construct optimal implementations with different criteria for the 4-bit S-boxes and provide the implementation bounds of different criteria for the 5-bit S-boxes. Since S-boxes in the same affine equivalence class share most of the important properties, we then build STP models to further investigate optimizing S-box circuits based on affine equivalence. According to the applications, for almost all the tested 4-bit S-boxes, there always exists an equivalent S-box that can be implemented with half the number of logic gates. Besides, we encode some important cryptographic properties and construct STP models to design S-boxes with given criteria configurations on implementation and properties. As an application, we find an S-box with the same cryptographic properties as the S-box of KECCAK that can be implemented with only 5 NCT gates, even though the application of our models indicates that implementing the KECCAK S-box requires more than 9 NCT gates. Notably, the inputs of the proposed models are tweakable, which makes the models possess some functions not currently available in the public tools for constructing optimized NCT-based circuits for S-boxes.

Let $\star: G \times X \rightarrow X$ be the action of a group $G$ of size $N=|G|$ on a set $X$. Let $y = g \star x \in X$ be a group action dlog instance, where our goal is to compute the unknown group element $g \in G$ from the known set elements $x,y \in X$. The Galbraith-Hess-Smart (GHS) collision finding algorithm solves the group action dlog in $N^{\frac 1 2}$ steps with polynomial memory. We show that group action dlogs are suitable for precomputation attacks. More precisely, for any $s,t$ our precomputation algorithm computes within $st$ steps a hint of space complexity $s$, which allows to solve any group action dlog in an online phase within $t$ steps. A typical instantiation is $s=t=N^{\frac 1 3}$, which gives precomputation time $N^{\frac 2 3}$ and space $N^{\frac 1 3}$, and online time only $N^{\frac 1 3}$.

Moreover, we show that solving multiple group action dlog instances $y_1, \ldots , y_m$ allows for speedups. Namely, our collision finding algorithm solves $m$ group action dlogs in $\sqrt{m}N^{\frac 1 2}$ steps, instead of the straight-forward $mN^{\frac 1 2}$ steps required for running $m$ times GHS. Interestingly, our multi instance algorithm (with precomputation) can be seen as a special case of our precomputation algorithm. Our multiple instance approach can be freely combined with our precomputations, allowing for a variety of tradeoffs.

Technically, our precomputation and multiple instance group action dlog attacks are adaptations of the techniques from the standard dlog setting in abelian groups. While such an adaptation seems natural, it is per se unclear which techniques transfer from the dlog to the more restricted group dlog setting, for which $X$ does not offer a group structure.

Our algorithms have direct implications for all group action based cryptosystems, such as CSIDH and its variants. We provide experimental evidence that our techniques work well in the CSIDH setting.

In this short note we review the technique proposed at ToSC 2018 by Sadeghi et al. for attacks built upon several related-tweakey impossible differential trails. We show that the initial encryption queries are improper and lead the authors to misevaluating a filtering value in the key recovery phase. We identified 4 papers (from Eurocrypt, DCC, ToSC and ePrint) that follow on the results of Sadeghi et al., and in three of them the issue was propagated. We thus present a careful analysis of these types of attacks and give generic complexity formulas similar to the ones proposed by Boura et al. at Asiacrypt 2014. We apply these to the aforementioned papers and provide patched versions of their attacks. The main consequence is an increase in the memory complexity. We show that in many cases (a notable exception being quantum impossible differentials) it is possible to recover the numeric estimates of the flawed analysis, and in all cases we were able to build a correct attack reaching the same number of rounds.

In this work-in-progress, we present a series of protocols to efficiently prove statements about strings in context-free grammars (CFGs). Our main protocol for proving proofs of correct parsing for strings in a CFG flexibly accommodates different instantiations of zero-knowledge proof systems as well as accumulation schemes. While improvements in the modular cryptographic primitives can be carried over for improvements in our protocols, even simpler proof systems, which do not support state-of-the-art techniques such as permutation checks can generate proofs of correct parsing of a string of size $n$ by proving the correctness of a circuit of size $\mathcal{O}(cn)$, where $c$ is the cost of verifying a set membership proof in the chosen accumulation scheme.

Adaptor signatures can be viewed as a generalized form of the standard digital signature schemes where a secret randomness is hidden within a signature. Adaptor signatures are a recent cryptographic primitive and are becoming an important tool for blockchain applications such as cryptocurrencies to reduce on-chain costs, improve fungibility, and contribute to off-chain forms of payment in payment-channel networks, payment-channel hubs, and atomic swaps. However, currently used adaptor signature constructions are vulnerable to quantum adversaries due to Shor’s algorithm. In this work, we introduce SQIAsignHD, a new quantum-resistant adaptor signature scheme based on isogenies of supersingular elliptic curves, using SQIsignHD - as the underlying signature scheme - and exploiting the idea of the artificial orientation on the supersingular isogeny Diffie-Hellman key exchange protocol, SIDH, as the underlying hard relation. We, furthermore, show that our scheme is secure in the Quantum Random Oracle Model (QROM).

Running machine learning algorithms on encrypted data is a way forward to marry functionality needs common in industry with the important concerns for privacy when working with potentially sensitive data. While there is already a growing field on this topic and a variety of protocols, mostly employing fully homomorphic encryption or performing secure multiparty computation (MPC), we are the first to propose a protocol that makes use of a specialized encryption scheme that allows to do secure comparisons on ciphertexts and update these ciphertexts to be encryptions of the same plaintexts but under a new key. We call this notion Updatable Order-Revealing Encryption (uORE) and provide a secure construction using a key-homomorphic pseudorandom function. In a second step, we use this scheme to construct an efficient three-round protocol between two parties to compute a decision tree (or forest) on labeled data provided by both parties. The protocol is in the passively-secure setting and has some leakage on the data that arises from the comparison function on the ciphertexts. We motivate how our protocol can be compiled into an actively-secure protocol with less leakage using secure enclaves, in a graceful degradation manner, e.g. falling back to the uORE leakage, if the enclave becomes fully transparent. We also analyze the leakage of this approach, giving an upper bound on the leaked information. Analyzing the performance of our protocol shows that this approach allows us to be much more efficient (especially w.r.t. the number of rounds) than current MPC-based approaches, hence allowing for an interesting trade-off between security and performance.

Fully Homomorphic Encryption (FHE) is a powerful tool that brings privacy and security to all sorts of applications by allowing us to perform additions and multiplications directly on ciphertexts without the need of the secret key. Some applications of FHE that were previously overlooked but have recently been gaining traction are data compression and image processing. Practically, FHE enables applications such as private satellite searching, private object recognition, or even encrypted video editing.

We propose a practical FHE-friendly image compression and processing pipeline where an image can be compressed and encrypted on the client-side, sent to a server which decompresses it homomorphically and then performs image processing in the encrypted domain before returning the encrypted result to the client.

Inspired by JPEG, our pipeline also relies on discrete cosine transforms and quantization to simplify the representation of an image in the frequency domain, making it possible to effectively use a compression algorithm. This pipeline is designed to be compatible with existing image-processing techniques in FHE, such as pixel-wise processing and convolutional filters. Using this technique, a high-definition ($1024\times1024$) image can be homomorphically decompressed, processed with a convolutional filter and re-compressed in under $24.7$s, while using ~8GB memory.

Temporary contract | 12 Months | Belval Are you passionate about research? So are we! Come and join us The Luxembourg Institute of Science and Technology (LIST) is a Research and Technology Organization (RTO) active in the fields of materials, environment and IT. Do you want to know more about LIST? Check our website: https://www.list.lu/ Discover our IT for Innovative Services department: https://www.list.lu/en/informatics/ How will you contribute? Your specific mission includes, but is not limited to, participating into the following activities along the project partners: • To analyze the security of wireless networks in dedicated scenarios, e.g., stage control in theatres. • To analyze the independences (security-oriented) between different services which use the same wireless network. • To prototype ML-based vulnerability and attack detection technologies for wireless networks. • To develop open-source software. • To validate the effectiveness of developed technologies. You are in charge of disseminating and promoting the research activities that will be carried out, whether through publications, prototype development or technical reports. You’re highly motivated and have proven skills in machine learning & cybersecurity to address the security concerns in wireless communication networks. You have already good experience in designing network intrusion detection solutions that use advanced machine learning techniques which can offer significant advantages over other methods. And last, but not least, you’re a great practitioner of cybersecurity technique benchmarking and testing in simulated environments. Is Your profile described below? Are you our future colleague? Apply now! As to join us, you: • Hold a PhD. degree in Computer Science or related disciplines • Have good programming skills (particularly experience on Python and C++) • Have good track record on wireless network security, such as vulnerability detection and anomaly detection in Wifi and Telecom netw

Closing date for applications:

Contact: Schwartz Cathy

More information: https://www.list.lu/en/jobs/

This postdoctoral position is for 3 years (with possible extension to up to 4 years) and is linked with a research effort aiming to apply cryptographic methods for studying the security aspects of Artificial Intelligence (AI). Cryptographic approaches will be tested for attacks on AI and existing protection methods in cryptography will be applied for security of AI. The candidate will have the freedom to explore new related topics and drive the research in the direction of security of AI and cryptographic elements. The postdoc will work with a team at the Selmer Center in Secure Communication, including among others Adj. Prof. Vincent Rijmen, Adj. Prof. Sondre Rønjom and Prof. Lilya Budaghyan.

Closing date for applications:

Contact: Prof. Budaghyan: lilya.budaghyan@uib.no

More information: https://www.jobbnorge.no/en/available-jobs/job/260444/lead-ai-postdoctoral-research-fellow-position-within-cryptography-and-security-of-ai

Ready to join the future of innovation in our team at NXP? We are expanding our Trust Provisioning Team at NXP Gratkorn!

Trust Provisioning is the secure creation, insertion, and distribution of confidential data and key material for chip personalization, including product configuration and development of software for underlying production flows.

Key Responsibilities:

Design and implementation of secure web services for key and data distribution

Design and implementation of unit and integration tests for automated test execution in CI/CD pipelines, including quality aspects

Contributing to architectural and security concepts to ensure end-to-end protection of sensitive key material and data

Closing date for applications:

Contact: Kerstin Krauss

More information: https://nxp.wd3.myworkdayjobs.com/careers/job/Gratkorn/Secure-Web-Service-Java-Software-Engineer-for-Trust-Provisioning--m-f-d-_R-10051290

The IBM Zürich Research Lab invites applications for a PhD position in the area of Quantum-Safe Cryptography. The position is fully funded by SNF through the grant CryptonIs: Advanced Cryptography Based on Isogenies. The successful candidate will conduct research on cryptographic algorithms and schemes pertaining to the area of Isogeny-based Cryptography, a branch of Quantum-Safe Cryptography grounded in Number Theory and Arithmetic Geometry, under the supervision of Drs. Andrea Basso and Luca De Feo. They will join a diverse team of cryptographers working on all aspects of theoretical and applied cryptography. We are looking for candidates with an interest in the following topics Algorithmic Number Theory, Computational Algebraic Geometry, Cryptographic primitives and protocols, Cryptanalysis.

Closing date for applications:

Contact: Andrea Basso and Luca De Feo for questions. Apply online via the form at the given link. Only applications received before May 1st are guaranteed to be taken in consideration.

More information: https://www.zurich.ibm.com/careers/2024_008.html

We are pleased to announce an opportunity for a highly motivated individual to join our team at Universitat Autònoma de Barcelona as a Postdoctoral Researcher in Blockchain Technology. This position offers a unique chance to contribute to cutting-edge research and innovation in the field of distributed ledger technologies.

Responsibilities:

• Conducting original research in blockchain technology, with a focus on cryptographic protocols, consensus mechanisms, and scalability solutions.
• Developing novel algorithms and protocols to address key challenges in blockchain scalability, security, and privacy.
• Publishing high-quality research papers in top-tier conferences and journals.
• Mentoring graduate students and contributing to academic initiatives within the department.

Qualifications:

• A Ph.D. in Computer Science, Mathematics, or a related field, with a strong publication record in blockchain or cryptography.
• Expertise in cryptographic protocols and blockchain technology, with demonstrated proficiency in Python or Rust programming languages.
• Familiarity with Solidity programming for smart contract development is highly desirable.
• Strong analytical and problem-solving skills, with a passion for exploring new ideas and pushing the boundaries of research.
• Excellent communication and collaboration abilities, with a track record of working effectively in multidisciplinary teams.

This is a fixed-term position with a contract lasting until December 31, 2025.

To apply, please submit the following documents to jordi.herrera@uab.cat with subject [Blockchain Postdoctoral Position] before May 2, 2024:

• A detailed CV including a list of publications.
• A cover letter describing your research interests, relevant experience, and career goals.
• Contact information for at least three professional references.

Closing date for applications:

Contact: jordi.herrera@uab.cat

Side-channel analysis is an important part of the security evaluations of hardware components and more specifically of those that include cryptographic algorithms. Profiling attacks are among the most powerful attacks as they assume the attacker has access to a clone device of the one under attack. Using the clone device allows the attacker to make a profile of physical leakages linked to the execution of algorithms. This work focuses on the characteristics of this profile and the information that can be extracted from its application to the attack traces. More specifically, looking at unsuccessful attacks, it shows that by carefully ordering the attack traces used and limiting their number, better results can be achieved with the same profile. Using this method allows us to consider the classical attack method, i.e. where the traces are randomly ordered, as the worst case scenario. The best case scenario is when the attacker is able to successfully order and select the best attack traces. A method for identifying efficient ordering when using deep learning models as profiles is also provided. A new loss function "Scoring loss" is dedicated to training machine learning models that give a score to the attack prediction and the score can be used to order the predictions.

Hash chain based password systems are a useful way to guarantee authentication with one-time passwords. The core idea is specified in RFC 1760 as S/Key. At CCS 2017, Kogan et al. introduced T/Key, an improved password system where one-time passwords are only valid for a limited time period. They proved security of their construction in the random oracle model under a basic modeling of the adversary. In this work, we make various advances in the analysis and instantiation of hash chain based password systems. Firstly, we describe a slight generalization called U/Key that allows for more flexibility in the instantiation and analysis, and we develop a security model that refines the adversarial strength into offline and online complexity, that can be used beyond the random oracle model, and that allows to argue multi-user security directly. Secondly, we derive a new security proof of U/Key in the random oracle model, as well as dedicated and tighter security proofs of U/Key instantiated with a sponge construction and a truncated permutation. When applied to T/Key, these results improve significantly over the earlier results: whereas the originally suggested instantiation using SHA-256 achieved 128 bits of security using a hash function with a state size of 384 bits, with a truncated permutation construction one can achieve 128 bits of security already with a state size of 256 bits.